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Amendments to the Claims 

This listing of claims will replace all prior versions, and listings, of claims in the 
application. 

1-20. (cancelled) 

21. (previously amended) A system comprising: 

a network; and 

one or more machines coupled with the network, each machine comprising a 
communication interface and a memory including an execution area configured to 
perform operations to examine a set of instructions embodying an invoked application to 
identify the invoked application, obtaining application-specific intrusion criteria, the 
application-specific intrusion criteria including intrusion signatures and behavior criteria, 
and monitoring network communications for the invoked application for application- 
specific intrusion signatures and abnormal application behavior to detect an intrusion. 

22. (original) The system of claim 21, wherein the application-specific intrusion criteria 
comprises a normal communication behavior threshold. 

23. (cancelled) 

24. (previously amended) The system of claim 21, wherein to monitor network 
communications comprises to monitoring network communications in a network 
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intrusion detection system component running in an execution context with the invoked 
application. 

25. (previously amended) The system of claim 24, wherein the operations further 
comprise to provide an application-specific remedy for a detected intrusion. 

26. (previously amended) The system of claim 25, wherein to provide an application- 
specific remedy comprises cutting at least a portion of the network communications for 
the invoked application. 

27. (previously amended) The system of claim 24, wherein each machine further 
comprises a local repository and a security operation center, the security operation center 
includes a master repository, and wherein to obtain the application-specific intrusion 
criteria comprises to: 

request the application-specific intrusion criteria from the local repository; 

request the application-specific intrusion criteria from the master repository if the 
application-specific intrusion criteria is unavailable in the local repository; 

receive the application-specific intrusion criteria from the master repository if 
requested; and 

receive the application-specific intrusion criteria from the local repository. 

28. (previously amended) The system of claim 24, wherein to examine the set of 
instructions comprises to: 
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apply a hash function to the set of instructions to generate a condensed 
representation; and 

compare the condensed representation with existing condensed representations for 
known applications. 

29-30. (cancelled) 

31. (original) A detection method, comprising: 

examining a set of instructions embodying an invoked application to identify the 
invoked application; 

obtaining application-specific intrusion criteria, the application-specific intrusion 
criteria including application-specific intrusion signatures and behavior criteria; and 

monitoring network communications for the invoked application for application- 
specific intrusion signatures and abnormal application behavior to detect an intrusion. 

32. (original) The method of claim 31, wherein examining a set of instructions 
embodying an invoked application to identify the invoked application comprises: 

applying a hash function to the set of instructions to generate a condensed 
representation; and 

comparing the condensed representation with existing condensed representations 
for known applications. 
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33. (original) The method of claim 31, wherein network communications are monitored 
for application-specific intrusion signatures that correspond to the identified invoked 
application. 

34. (original) The method of claim 31, further comprising unloading the application- 
specific intrusion signatures corresponding to the identified invoked application when the 
identified invoked application is terminated. 

35. (original) The method of claim 31, further comprising tracking one or more 
characteristics of the network communications to identify application-specific abnormal 
communication behavior. 

36. (original) The method of claim 35, wherein tracking one or more characteristics of the 
network communications comprises comparing the one or more characteristics with one 
or more configurable thresholds. 

37. (original) The method of claim 35, wherein monitoring network communications 
comprises monitoring network communications in a network intrusion detection system 
component invoked with the invoked application. 

38. (original) The method of claim 37, wherein the network intrusion detection system 
component and the invoked application run within a single execution context. 
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39. (original) The method of claim 31, further comprising operations to provide an 
application-specific remedy for a detected intrusion. 

40. (original) The method of claim 39, wherein operations to provide an application- 
specific remedy for a detected intrusion comprises cutting at least a portion of the 
network communications for the invoked application and/or notifying a system 
administrator of the identified application-specific abnormal communication behavior. 

41. (original) The method of claim 31, wherein obtaining the application-specific 
intrusion detection signature comprises loading the application-specific intrusion 
detection signature from a local signature repository. 

42. (original) The method of claim 31, wherein obtaining the application-specific 
intrusion detection signature comprises: 

requesting the application-specific intrusion detection signature from a local 
signature repository in communication with a remote signature repository; and 

receiving the application-specific intrusion detection signature from the local 
signature repository. 

43. (original) A machine-readable storage medium embodying machine instructions for 
causing one or more processors to perform operations comprising: 

examining a set of instructions embodying an invoked application to identify the 
invoked application; 
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obtaining application-specific intrusion criteria, the application-specific intrusion 
criteria including application-specific intrusion signatures and behavior criteria; and 

monitoring network communications for the invoked application for application- 
specific intrusion signatures and abnormal application behavior to detect an intrusion. 

44. (original) The machine-readable storage medium of claim 43, wherein examining a 
set of instructions embodying an invoked application to identify the invoked application 
comprises: 

applying a hash function to the set of instructions to generate a condensed 
representation; and 

comparing the condensed representation with existing condensed representations 
for known applications. 

45. (original) The machine-readable storage medium of claim 43, wherein network 
communications are monitored for application-specific intrusion signatures that 
correspond to the identified invoked application. 

46. (original) The machine-readable storage medium of claim 43, further comprising 
unloading the application-specific intrusion signatures corresponding to the identified 
invoked application when the identified invoked application is terminated. 



-8- Yadav et al 

Appl.No. 10/066,070 

47. (original) The machine-readable storage medium of claim 43, further comprising 
tracking one or more characteristics of the network communications to identify 
application-specific abnormal communication behavior. 

48. (original) The machine-readable storage medium of claim 47, wherein tracking one or 
more characteristics of the network communications comprises comparing the one or 
more characteristics with one or more configurable thresholds. 

49. (original) The machine-readable storage medium of claim 47, wherein monitoring 
network communications comprises monitoring network communications in a network 
intrusion detection system component invoked with the invoked application. 

50. (original) The machine-readable storage medium of claim 49, wherein the network 
intrusion detection system component and the invoked application run within a single 
execution context. 

51. (original) The machine-readable storage medium of claim 43, further comprising 
operations to provide an application-specific remedy for a detected intrusion. 



